JP2002196671A - Calculating device for executing cryptographic protocol - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a calculating device for deciding the inverse of an integer modulo of a large number. SOLUTION: The device is provided with means (12, M, SE1) for providing a series of binary numbers which are prime numbers of the large number, means (Ga, 14) for dividing the number into two groups at random, and means (Mu, 16, 18) for executing the products of the numbers of each group.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

FIELD OF THE INVENTION The present invention relates to a computing device for the execution of at least a part of a cryptographic protocol including the determination of the inverse of a large number of modulo integers. The invention more particularly relates to means for quickly determining this type of reciprocal.

[0002]

2. Description of the Related Art Cryptographic protocols include, for example, digital signature algorithm (DSA) and elliptic curve DSA (ECD).
Some, known as SA), have to repeatedly calculate the reciprocal of a large number of modulo random integers. For more details on such protocols, see IEEE Publication P1363 / D13 and specifically Sections 6.2.7 and 7.27 thereof. Such large numbers are denoted by N in the rest of the description.

[0003] If the product of two numbers is exactly equal to the large number modulo one, then the two numbers are inverses of each other. For example, equations 3 and 5 are 1
The modulo of 4 is the reciprocal of each other. This is 3x5
= 15≡1 according to modulo 14.

One prior art method of performing this calculation is:
Based on the following equation: y = x ^-1 = x ^{φ (N) -1} [modulo] N Here, φ (N) is an integer of a prime number of N smaller than N.
This is Euler's "totient" function. If N is a prime number, the following simplification is valid. φ (N) = N−1 Thus, in the end, in y = x ⁻¹ = x ^N−2 binary, this calculation is given as n = log ₂ N
This requires 3n / 2 multiplications of nxn bits, in other words, on the order of 160 multiplications in practice.

[0005]

SUMMARY OF THE INVENTION The present invention proposes a faster calculation method in which two numbers, which are mutually inverse modulos of N, are simultaneously generated by a specific calculation, for example based on a random number.

[0006]

More precisely, the present invention provides a computing device adapted to implement at least a portion of a cryptographic protocol that involves determining a reciprocal of a large number (N) of modulo integers. A method for providing a series of binary numbers (S ₀ , S _k ) that is less than the large number and a prime number thereof, the number from the series (S ₀ )
Implements the means being the reciprocal of the product of another of the large number (N) of modulos, the means for randomly dividing all of the series of numbers into two groups, and the product of the numbers of each group. Means for forming two predetermined numbers, the result of such a product being the reciprocal of each other.

[0007] Two numbers are a common divisor
, The two numbers are prime to each other.

[0008] A preferred embodiment of the computing device comprises means for forming a random number (e) and one at the beginning of each computation.
Means for representing two of a predetermined number (x, y) which are initialized to the bits of the random binary number one by one and further selecting a corresponding number from the series. Means for further multiplying the corresponding value of one of the predetermined two numbers by the corresponding value if the bit is equal to zero, or two predetermined numbers if the bit is equal to one. Means for multiplying the current value of the other of the numbers by the corresponding number, the result of the multiplication respectively forming a new current value of one or the other of the two predetermined numbers, and Means for performing said selection of said two numbers, said means for representing two numbers comprising means for forming two predetermined numbers which are reciprocals of one another.

In one embodiment, the means for providing the series of binary numbers comprises means for storing the numbers that make up the series. These numbers are pre-calculated in a preliminary step, which does not need to be performed again, each time a pair of numbers, which are the reciprocals of N modulo each other, is calculated.

[0010] Another embodiment of the means for providing the series comprises means for generating at least some numbers of the series in real time.

[0011] If most of the number of the sets is a fast execution function,
on), if the number can be calculated using the cited first embodiment, where the number is read from memory,
Time is saved.

The precomputing means comprises means for determining the number of sets (sets) which are prime numbers of said large number N, said number of sets forming said series. The pre-computing means comprises means for determining the reciprocal of the product of the number of the set of modulo of the large number N;
The reciprocal forms a particular number from the series and completes it further.

If all the numbers in the series have to be stored, the precomputing means is used once and all the results are stored. On the other hand, if some numbers of the set are determined by an instantaneous calculation, the pre-computation means are used to select a number from the respective recomputable set based on the use of an immediate execution function. . Making it possible to "find" a suitable immediate execution function is a choice of numbers from the series. When the function is determined and "executed", on the one hand forms a starting point for calculating another number of the set, storing the number from the set and on the other hand the set (modulo N) It is generally sufficient to store the reciprocal of the product of the numbers Essentially by calculation, it is necessary to determine the series, all elements are then applicable.

For example, the computing device can comprise storage means containing on the one hand the minimum number of the set and on the other hand the reciprocal of the product of the number of the large number N of modulo sets, and the generating means further comprises: , Successively applying an immediate execution function, starting from the smallest number and determining the sequence of numbers making up the set, the series comprising the number and the reciprocal. Formed by

In a preferred example, the immediate execution function determines each number by adding one to the previous number. This type of immediate execution function is especially usable if the number N is a prime number. If not, it is often possible to find a range of numbers where all consecutive numbers are smaller than the large number N and are prime numbers thereof.

BRIEF DESCRIPTION OF THE DRAWINGS The invention will be better understood and further advantages of the invention will appear more clearly on reading the following description of various embodiments of a computing device according to the invention and with reference to the accompanying drawings, in which: FIG. . The description of the present invention has been presented only by way of example.

[0017]

DESCRIPTION OF THE PREFERRED EMBODIMENTS The functions of a computing device defined above are justified by the following proof. Making S ₀ the reciprocal of the modulo N of the product of a set of k integers from S ₁ to S _k , all of which are prime numbers of the number N less than the large number N;

(Equation 1) And the procedure. It is shown that S ₀ is also a prime number of N.

(Equation 2) Can be easily confirmed.

Eventually, if this product of k + 1 numbers S _i is randomly divided into two group numbers, and if the respective products Π ₁ and Π ₂ of the numbers from the two groups are If obtained, the products Π ₁ and Π ₂
The two numbers x and y formed from are the reciprocals of N modulo each other.

In other words, the basic principle of the invention leads to a procedure for selecting a number k and a large number N, for example, and then in a pre-computation stage, on the other hand, with all prime numbers N smaller than N determination procedure, and on the other hand, an additional number S ₀ forming the reciprocal of the product of the number S ₁ · · · S _k modulo of N to determine a set of one k-number S ₁ · · · S _k Guide you through the steps. Having performed this pre-computation, a series of k + 1 binary numbers is applicable. In performing cryptographic calculations to determine two numbers x, y, which are N modulo inverses of each other, these numbers can be stored, for example, so that they can be used whenever needed.

A suitable calculation method can proceed according to the flowchart of FIG. Procedure E1 is an initialization stage,
The two values x and y are initialized to 1 (which is a neutral element of the multiplication).

The k + 1-bit binary number e is randomly selected and formed from k + 1 bits (e ₁ ... E _k ) each having a value of 0 or 1. Procedure E2 initializes the count i to zero. The procedure E3 is a test for checking whether or not the coefficient i is larger than k. A positive test result indicates the end of the calculation. A negative test result leads to procedure E5.
Step E4 is "seek" the number S _i. If S _i is stored, this operation simply consists of reading one of the numbers in memory. However, as noted above, it is possible to calculate most of the numbers S _i in real time (except for S ₀ , which is the subject of certain pre-computations). Eventually, in step E3, either the value in memory can be read or it can be recalculated using the "immediate execution" function. The procedure E5 determines the value of the i-th bit of the number e selected at random. If the bit is equal to 1, the next procedure is procedure E6. If the bit is equal to 0, the next procedure is E7. Procedure E
6 multiplies the previous value y by the number S _i , resulting in a new value y. The next procedure is procedure E8. Procedure E7
Multiplies the previous value x by the number S _i , resulting in a new value x. The next procedure is procedure E8. Step E8 is
Increment i by one unit, return to procedure E3,
Is greater than k.

If the result of test E4 is positive, the two values x and y represent two predetermined numbers which are mutually the inverse of N modulo.

FIG. 2 is a block diagram showing the means for executing the algorithm described by the flowchart of FIG. Block 12 shows the pre-computing means,
Block 13 is a unique calculation means (calculation).
Means property is shown.

The pre-calculation means calculates the large number N as a prime number.
It comprises a generator Gp for a number. These numbers
Has the form of a w-bit character (word). Genere
The data Gp represents a sequence of N prime numbers (succession).
Generate these numbers S ₁... S_i... S_kIs
It is stored in a memory M which is a part of the calculating means 13.

In parallel, the numbers S ₁ -S _k are sent to a circuit Inv for calculating the number S ₀ . The number S ₀ is calculated from the numbers S ₁ to S
It is the reciprocal of the product up to _k . When this calculation is completed, the value S ₀
Are stored in the memory M. Since the value of the number S ₀ -S _k is stored in the memory M, the pre-calculation means can be separated from the calculation means 13 at this point. The computing device comprises a random number generator Ga for generating a k + 1-bit random number, which is connected to a register 14 for storing a k + 1-bit random number e. At the beginning of the calculation process, the generator Ga writes a random number in the register 14.

The memory M is connected to a selector SE1 whose output is connected to one of the inputs of the multiplier Mu. Selector SE2 has its output connected to another input of multiplier Mu. The output of the multiplier is two registers 16, 1
8 connected to the input of a router AI having two outputs connected to respective inputs of the two registers 16,
At 18 are entered two variables x and y which are the result of the product of numbers from the series S ₀ -S _k . The two outputs of registers x and y are looped to the two inputs of selector SE2. By reading the register 14 bit by bit, the setting of both the selector SE2 and the router AI is controlled.

More precisely, the bits of register 14, e
₀ ··· e _i ··· e _k, each iteration (iter
If the associated bit e _i is equal to one, selector SE2 connects the output of register 16 to the input of multiplier Mu and router AI connects the output of multiplier Mu to the input of register Mu. Connect to input. Similarly, if e _i is equal to 0, selector SE2 connects the output of register 18 to the input of multiplier Mu, and the router AI
Connects the output of the multiplier Mu to the input of the register 18.

In parallel with this, in each iteration, the selector SE1 sends the numbers S ₀ -S _k one after the other to another input of the multiplier Mu.

Eventually, at each iteration, the contents of register 16 or 18 (depending on the value of e _i ) are multiplied by the number S _i , and the result is placed in the same register, overwriting the previous value. Is done. When all the numbers S ₀ -S _k have been processed, registers 16 and 18 contain two numbers that are N modulo inverses of each other.

FIG. 3 shows an embodiment basically different from the embodiment of FIG. 2 in the method for obtaining the number S _i . Overall, the pre-computing means 12 is identical to that of the embodiment of FIG. 1, ie they are generators for generating numbers that are prime numbers of the large number N, and from the numbers S ₁ -S _k It basically comprises a circuit Inv for generating the number S ₀ .

However, in this example, the number N is a chosen prime number. After all, any sequence of consecutive numbers S _i is a series of numbers that are prime numbers of N. Therefore, the previously obtained number S _i is 1
, It is possible to form an immediate execution function that simply finds one of the numbers. S _{i + 1} = S _i +1

In this case, the minimum number S _{1 of the} set is any selected number. Therefore, the pre-calculation means 12
Set of numbers S _i determined by the need not to be stored is sent for use by computing means 13. It is simply sufficient to store the minimum number S _{1 of the} set and the number S ₀ calculated by the circuit Inv.

Assuming that these two numbers are stored in the two registers 20 and 21 of the calculating means 13, it is sufficient to add means 22 for applying an immediate execution function to the calculating means. Is S _{i + 1} = S _i +1.

Under these conditions, the selector SE1 is connected to the output of the means 22 and to the outputs of the two registers 20 and 21. In other words, in a series of numbers S ₀ ... S _k , only the numbers S ₀ and S ₁ are stored in the register, and all others S
₂ to S _k are calculated by means 22 in real time. _Determining a larger part of the number S _i by an immediate calculation of the kind indicated above saves time as compared to the previous embodiment where reading each number in memory was required. I understand.

Apart from the means connecting to the selector SE1, the rest of the calculating means 13 is identical to the embodiment of FIG. 2, and for this reason will not be described again in detail. Its function The selector SE1 is in the corresponding assumption it is possible "to preset" input of the multiplier Mu a number S _i consecutive in each iteration of the calculation is the same.

It should be understood that the embodiment of FIG. 3 may also be satisfactory even when the number N is not a prime number. In this case, it is generally possible to determine a succession of k consecutive integers, all prime numbers of the number N.

This condition is satisfied if the minimum prime factor of N (ta
ctor) (displayed in p) _{is, S 1 + (k-1} ) is greater than the particularly adapted.

In this case, since p is a prime number, the sequence S ₁ , S ₁ +1... S ₁ + k−1 is formed from k consecutive integers, which are prime numbers of p, and thus of N. Is done. In this case, as already described, a means 20 for applying an immediate execution function is available, ie the function is: S _{i + 1} = S _i +1

[0039] If when the above conditions are not met, if if p ≦ S ₁ + In other words (k-1), p is a prime number, because each time one is added to the S _i, S ₁ Is p
Is chosen to be a prime number. A test is performed to determine if the determined number is a prime number of p and p
Only the numbers that are primes of are retained. In this case, instead of a series of consecutive numbers, many groups of consecutive numbers, all of which are prime numbers of N, are determined. The definition of immediate execution function, the number of sets from S ₂ to S _k in real time, it is appropriate to modify at any time according to a possible recalculation when necessary.

More generally, whenever an immediate execution function can be formed from an appropriate choice of prime numbers of N derived by generator Gp, an implementation of the type described with reference to FIG. Can be used.

It should further be appreciated that it is advantageous to select the series from smaller numbers, all smaller than the large number N, all of which are prime numbers. The large number N can be a 163-bit binary number and the number w can be a 32-bit binary number to give an idea of the order of magnitude associated. , And k can be equal to 160.

[Brief description of the drawings]

FIG. 1 is a flowchart illustrating various calculation procedures for determining two numbers, which are the reciprocals of a large number N of each other modulo.

FIG. 2 is a block diagram of a first embodiment of a computing device according to the present invention.

FIG. 3 is a block diagram of another embodiment of the computing device according to the present invention.

[Explanation of symbols]

 12 Pre-calculation means 13 Specific calculation means 14 Register 16 Register 18 Register Gp Generator Inv Circuit Ga Random number generator M Memory SE1 Selector SE2 Selector Mu Multiplier AI Router

Claims (13)

[Claims] 1. A computing device adapted to execute at least a part of a cryptographic protocol comprising determining a reciprocal of a large number (N) of modulo integers, the computing device being a prime number less than the large number. , Means for providing a series of binary numbers (S ₀ , S _k ) (12, M, SE
1) wherein the number (S ₀ ) from the series is the reciprocal of the product of another of the modulo of the large number (N); (Ga, 14) and means (Mu, 1) for executing the product of the numbers of the groups.
6, 18), wherein means for forming two predetermined numbers whose result of such a product is the reciprocal of each other. 2. Means (Ga, 14) for generating a random number (e) and two for representing a predetermined number (x, y) initialized to 1 at the beginning of each calculation. Means (16, 18) and means (SE) for selecting the bits of the random binary number one by one and further selecting the corresponding number from the series.
1, SE2) and means (Mu) for multiplying the corresponding value by the current value of one of the predetermined two numbers if the bit is equal to 0, or if the bit is equal to 1 Means (Mu) for multiplying said corresponding number by the current value of the other of the two predetermined numbers, wherein the result of said multiplication is the new current value of one or the other of the predetermined two numbers Means (Mu), each forming and the above operation being performed on all said selections, wherein the final current value contained in said means representing two numbers forms a predetermined two numbers which are reciprocals of each other. 2. The computing device according to claim 1, further comprising: 3. The computing device according to claim 1, wherein the computing device comprises or is associated with pre-calculating means for pre-calculating the series of numbers for storing them.
Or the computing device according to 2. 4. The pre-computing means comprises means (Gp) for determining a number of sets that are prime numbers of said large number (N), said sets forming said series of numbers. Yes,
Further, the pre-computing means comprises means for determining a reciprocal of a product of said set of modulo of said large number (N), said reciprocal forming a number from said series. The computing device according to claim 3, wherein: 5. A method according to claim 1, wherein said means for forming said series comprises means (M) for storing a number thereof. Computing device. 6. A method according to claim 1, wherein said means for forming said series comprises means for generating in real time some of said series. The computing device according to claim 1. 7. The computing means comprises a storage means (20,2) containing, on the one hand, the minimum number of said set and, on the other hand, the reciprocal of the product of said large number (N) of modulo sets.
(22) further comprising: (22) the generating means for continuously applying an immediate execution function to obtain a sequence of numbers constituting the set, starting from the minimum number. The computing device according to claim 6, wherein the sequence is formed by the number and the reciprocal. 8. The computing device according to claim 7, wherein the immediate execution function obtains each number by adding 1 to a previous number. 9. The system according to claim 8, wherein said large number (N) is a selected prime number, and said minimum number of said set contained in said storage means is any selected number. A computing device according to claim 1. 10. The large number (N) is any selected number and the minimum number of the set is selected within a range of consecutive integers that are all prime numbers of the large number. 9. The computing device according to claim 8, wherein the minimum number of said set of consecutive numbers. 11. The computing device according to claim 1, wherein the series of numbers is selected from the smallest number that is a prime number of the large number (N). 12. A cryptographic device comprising means for implementing the DSA cryptographic protocol and comprising a computing device according to any one of claims 1 to 11. . 13. A cryptographic device comprising means for implementing the ECDSA cryptographic protocol and comprising a computing device according to any one of claims 1 to 11. .